7.8

CVE-2018-16875

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GolangGo Version < 1.10.6
GolangGo Version >= 1.11.0 < 1.11.3
OpensuseLeap Version42.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 6.33% 0.927
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 7.8 10 6.9
AV:N/AC:L/Au:N/C:N/I:N/A:C
secalert@redhat.com 5.9 2.2 3.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0
https://security.gentoo.org/glsa/201812-09
Third Party Advisory
Mitigation
http://www.securityfocus.com/bid/106230
Third Party Advisory
VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875
Third Party Advisory
Issue Tracking